Chronology of a DDoS: SpamHaus

Around 12:00 GMT March 16, 2013, a distributed denial of service (DDoS) attack took offline both the spamhaus.org website and a portion of its e-mail services. SpamHaus was able to restore connectivity by March 18; however, SpamHaus is still weathering a massive, ongoing DDoS attack. The DDoS attacks have also had less severe but measurable consequences for the Composite Block List (CBL) as well as Project Honey Pot.

The attackers appear to have hijacked at least one of SpamHaus’ IP addresses via a maliciously announced BGP route and then placed a Domain Name System (DNS) server at that IP which returned a positive (“listed”) result for every SpamHaus Domain Name System-based Block List (DNSBL) query. A DNSBL client treats any answer as “this sender is listed,” so every SpamHaus customer whose queries were routed to the rogue nameserver rejected legitimate connections and mail as if every sender were a known spam source.
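The failure mode above is what a DNSBL client sanity check is for. The following added example (not code from the original post or from SpamHaus) builds the reversed-octet query name, interprets the answer, and applies the test entries DNSBL zones are required to carry (RFC 5782, section 5: 127.0.0.2 must be listed, 127.0.0.1 must not be). A nameserver that answers “listed” for everything fails the second test, and the client falls back to accepting mail unchecked rather than bouncing all of it. The resolver functions and their answers are constructed in-process; nothing is sent on the network.

```python
"""DNSBL lookup with a canary check against a nameserver that lists everything.

Added illustration, not the original post's code. The resolver callables and
the answers in HEALTHY are constructed; no DNS traffic is generated.
"""
import ipaddress
from typing import Callable, Optional

# A DNSBL is queried with an A lookup for <reversed-ip>.<zone>. Any answer in
# 127.0.0.0/8 means "listed"; NXDOMAIN (modelled here as None) means "not listed".
Resolver = Callable[[str], Optional[str]]

ZONE = "zen.spamhaus.org"   # zone name only; lookups below never leave this process
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """Build the DNSBL query name: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, resolve: Resolver, zone: str = ZONE) -> bool:
    """True if the zone returns a 127.0.0.0/8 answer for this address."""
    answer = resolve(dnsbl_name(ip, zone))
    return answer is not None and ipaddress.IPv4Address(answer) in LISTED_RANGE


def zone_is_sane(resolve: Resolver, zone: str = ZONE) -> bool:
    """RFC 5782 test entries: 127.0.0.2 MUST be listed, 127.0.0.1 MUST NOT be.
    A rogue server that answers positively for every query fails the second test."""
    return is_listed("127.0.0.2", resolve, zone) and not is_listed("127.0.0.1", resolve, zone)


def check_sender(ip: str, resolve: Resolver, zone: str = ZONE) -> str:
    """Policy decision for an inbound SMTP client address.

    Returns 'reject', 'accept', or 'accept-unchecked' when the zone looks broken,
    so a hijacked or misbehaving nameserver cannot turn the DNSBL into a self-DoS."""
    if not zone_is_sane(resolve, zone):
        return "accept-unchecked"   # fail open instead of bouncing all mail
    return "reject" if is_listed(ip, resolve, zone) else "accept"


# Constructed answers for a healthy zone: the test entry and one known-bad
# sender (RFC 5737 documentation address) are listed, nothing else is.
HEALTHY = {
    dnsbl_name("127.0.0.2"): "127.0.0.2",
    dnsbl_name("203.0.113.7"): "127.0.0.4",
}


def healthy_resolver(name: str) -> Optional[str]:
    return HEALTHY.get(name)


def rogue_resolver(name: str) -> Optional[str]:
    """Constructed model of the hijacked nameserver: every query is 'listed'."""
    return "127.0.0.2"


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9"):
        print(ip, "healthy:", check_sender(ip, healthy_resolver),
              "rogue:", check_sender(ip, rogue_resolver))
```

The canary lookups cost two extra queries per policy evaluation; in a real MTA they would be cached for minutes rather than repeated per connection, but the decision logic is the same.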

According to the New York Times, Sven Olaf Kamphuis is acting as a “spokesman for the attackers.” Kamphuis is allegedly associated with hosting provider “the CyberBunker,” which is housed in an old, five-story NATO bunker located in the Netherlands. CyberBunker has a reputation for “bulletproof hosting,” not only because of the physically fortified infrastructure, but also for their permissive terms of use, stating “Customers are allowed to host any content they like, except child porn and anything related to terrorism. Everything else is fine.” Kamphuis is also allegedly affiliated with the StopHaus group, which publicly claimed responsibility for the BGP hijack attack via Twitter.

Attacks on networks at the London Internet Exchange (LINX), German Internet Exchange (DE-CIX), Amsterdam Internet Exchange (AMS-IX), and most recently, the Hong Kong Internet Exchange (HKIX) are reportedly causing Internet delays across the world. The DDoS is a DNS reflection attack: the attackers send DNS queries with the source address spoofed to be SpamHaus’ IPs to open DNS resolvers, which then deliver their much larger responses to SpamHaus rather than to the attackers. The current volume of the DDoS is reported to be quite large, topping 140 Gbps in some instances, while other reports suggest it may have been as high as 300+ Gbps. The DDoS appears largely directed at SpamHaus’ website, e-mail servers, DNS IPs, and other connectivity. Reliable sources from within SpamHaus inform Cisco that the blacklist data and the infrastructure where it is stored have not come under significant attack.
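Because the queries carry a spoofed source, the victim receives large DNS responses from many resolvers without ever having sent a query. That asymmetry is the detection signal. The following added example (not code from the original post, Cisco, or SpamHaus) runs simple reflection-flood logic over constructed flow records using RFC 5737 documentation addresses; the thresholds are illustrative starting points, not vendor settings.

```python
"""Flag DNS reflection/amplification targets in flow records.

Added illustration, not the original post's code. SAMPLE is a constructed set
of NetFlow-style records; thresholds in suspected_targets() are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int
    packets: int


VICTIM = "198.51.100.10"

# Constructed sample. The victim receives response-shaped traffic (UDP sport 53)
# from 25 open resolvers toward random destination ports it never queried from,
# because the queries were sent by the attacker with the victim's address as source.
SAMPLE: List[Flow] = [
    Flow(f"192.0.2.{i + 1}", 53, VICTIM, 40000 + i, "udp", 600_000, 200) for i in range(25)
]
# A normal stub client: small queries out, small answers back from one resolver.
SAMPLE += [
    Flow("203.0.113.5", 51000, "192.0.2.53", 53, "udp", 140, 2),
    Flow("192.0.2.53", 53, "203.0.113.5", 51000, "udp", 380, 2),
]
# A busy recursive resolver: many responses from many servers, but it sent the
# queries, so inbound/outbound bytes stay roughly proportional.
for i in range(30):
    SAMPLE.append(Flow(f"192.0.2.{100 + i}", 53, "203.0.113.53", 50000 + i, "udp", 150_000, 300))
    SAMPLE.append(Flow("203.0.113.53", 50000 + i, f"192.0.2.{100 + i}", 53, "udp", 25_000, 300))


def summarize(flows: List[Flow]) -> Dict[str, dict]:
    """Per host: bytes/packets of DNS responses received, bytes of DNS queries sent,
    and the set of distinct response sources (candidate reflectors)."""
    stats = defaultdict(lambda: {"in_bytes": 0, "in_packets": 0, "out_bytes": 0, "reflectors": set()})
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport == 53:            # response-shaped traffic toward f.dst
            s = stats[f.dst]
            s["in_bytes"] += f.nbytes
            s["in_packets"] += f.packets
            s["reflectors"].add(f.src)
        elif f.dport == 53:          # query-shaped traffic from f.src
            stats[f.src]["out_bytes"] += f.nbytes
    return stats


def suspected_targets(flows: List[Flow], min_reflectors: int = 10,
                      min_ratio: float = 20.0, min_avg_response: int = 1000
                      ) -> List[Tuple[str, int, int, float]]:
    """Hosts receiving large DNS responses from many sources while sending
    (almost) no queries. Returns (host, reflectors, avg_response_bytes, in/out ratio)."""
    hits = []
    for host, s in summarize(flows).items():
        if not s["reflectors"]:
            continue
        avg = s["in_bytes"] / s["in_packets"]
        ratio = s["in_bytes"] / s["out_bytes"] if s["out_bytes"] else float("inf")
        if len(s["reflectors"]) >= min_reflectors and ratio >= min_ratio and avg >= min_avg_response:
            hits.append((host, len(s["reflectors"]), round(avg), ratio))
    return sorted(hits)


if __name__ == "__main__":
    for hit in suspected_targets(SAMPLE):
        print("reflection target:", hit)
```

Three signals are combined on purpose: many distinct sources rules out a single chatty resolver, a high inbound/outbound ratio separates a victim from a legitimate recursive resolver that simply does a lot of lookups, and a large average response size is what makes the attack worth the reflectors (responses to queries such as ANY with EDNS0 run to thousands of bytes against a query of tens of bytes). None of this stops the flood at the victim; the lasting fix is for networks to drop packets with spoofed sources at their edge (BCP 38) and for operators to stop running open resolvers.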

Other anti-spam organizations have been targeted, though none as heavily as SpamHaus. Both CBL and Project Honey Pot were affected by these same DDoS attacks, but their services appear to be operating normally once again.

The StopHaus group has set up a website and Twitter account where they have publicly expressed their dislike for SpamHaus and have claimed a role in the attacks.

A post from the StopHaus Twitter account on March 24 reads, “@cloudfare if you truely wanna stop DDoS attacks, routers all need to evenly spread cap on out interface. takes a few tb of ram for stats.” That tweet sounds strikingly similar to an e-mail sent by Kamphuis to the North American Network Operators Group (NANOG) mailing list in February 2012 discussing DDoS attacks, in which Kamphuis states, in part, “there is a fix for it, it’s called ‘putting a f***ton of ram in -most- routers on the internet’ and keeping statistics for each destination… keyword here, is terabytes of ram.” That same NANOG post links the cb3rob moniker with Sven Olaf Kamphuis, and a public Facebook page further strengthens the link by also associating the moniker with the CyberBunker. The same moniker appears on a StopHaus website page that appears to carry a transcript of the New York Times interview.

No Cisco customers should be directly affected by the DDoS attack; however, network slowdowns or blockages may occur over some links as a result of competing with the DDoS traffic for limited bandwidth. Additionally, at no time were Cisco security devices affected by the BGP hijack.
